Calico API
API Reference
getCalico.com

Authentication

To integrate an end user's data into your application, the user must first authenticate with their digital assets and grant permission for their data to be shared.

Authentication flow

Calico uses the OAuth 2.0 PKCE flow to keep user authentication secure and seamless. This industry-standard approach ensures that users can connect their financial accounts and share data with your app—without needing to manage sensitive credentials.

How to integrate users' financial data

  1. End-user Calico account creation: The user creates a Calico account by providing an email address or phone number.
  2. User Authentication: The user is redirected to authenticate with their financial provider.
  3. User Consent: The user grants permission to share their data with your app.
  4. Token Issuance: Calico returns an access token and refresh token.
  5. Data Access: Your app uses the access token to retrieve user data via Calico’s API.

Authorization code

Your app must have a redirect URI, client ID, and client secret. Authenticate the user in your app or with Calico Connect. On success, retrieve the temporary authorization code.

Authenticate with Calico Connect

https://widget.getcalico.com?client_id=<CLIENT_ID>&code_challenge=<USER_GENERATED>&code_challenge_method=<USER_GENERATED>&state=<USER_GENERATED>
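An added example (not Calico's own code) of generating the PKCE and state values for the Calico Connect URL above and checking the state when the user returns. It assumes the S256 challenge method from RFC 7636 and that the callback carries the standard OAuth `code` and `state` query parameters; the function names and the callback URL format are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CONNECT_URL = "https://widget.getcalico.com"  # Calico Connect URL from this page


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 URL-safe characters (RFC 7636 allows 43-128).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(code_verifier)), without padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def begin_authorization(client_id: str) -> tuple[str, dict]:
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(32)  # unguessable, one per authorization attempt
    query = urlencode({
        "client_id": client_id,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",  # assumption: S256 as defined in RFC 7636
        "state": state,
    })
    # Keep `pending` server-side, bound to the user's session. The verifier
    # is never placed in the URL; only its hash is.
    return f"{CONNECT_URL}?{query}", {"state": state, "code_verifier": verifier}


def handle_callback(callback_url: str, pending: dict) -> tuple[str, str]:
    # Assumption: the redirect carries standard `code` and `state` parameters.
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    # Constant-time comparison; a mismatch means the callback does not belong
    # to the flow this session started, so the code must not be redeemed.
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch: discard the callback")
    if not code:
        raise ValueError("no authorization code in callback")
    # The caller sends the code together with the verifier in the token request.
    return code, pending["code_verifier"]
```
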

Tokens

Using the temporary authorization code and your app credentials, make a token request. Access and refresh tokens will be returned. Use the access token as the bearer token for Calico API data calls.

Access tokens

Token types

| Token Type | Purpose | Lifespan | Storage Best Practices |
|---|---|---|---|
| Access Token | Grants temporary access to protected resources | 15 Minutes | Secure memory or encrypted storage. This should never be shared with more than one user. |
| Refresh Token | Used to obtain a new access token | 1 Year | Secure, encrypted backend storage only. |

Token lifecycle

When a user authenticates, Calico issues a short-lived access token and a longer-lived refresh token. The access token is used to make authorized API requests on the user’s behalf. Once it expires, the refresh token can be used to obtain a new access token without requiring the user to log in again. This ensures secure, continuous access while minimizing the risk of token misuse.